[pycrypto] Policy changes - Now accepting patches from the U.S.

Paul Koning paul_koning at dell.com
Tue Nov 30 10:06:58 CST 2010

On Nov 30, 2010, at 8:08 AM, Dwayne C. Litzenberger wrote:

> On Tue, Nov 30, 2010 at 06:49:17AM -0500, Paul Koning wrote:
>> In this case, it seems to me you're changing PyCrypto from a project that 
>> is NOT "subject to the EAL" (the U.S. Export regulations) to one that is.  
>> Are you sure you want to do that?
>
> No, I'm not sure, really.  All of your concerns are valid.
> However, PyCrypto is stagnating, and I think it's partly due to the 
> no-US-origin policy that I had adopted.  Instead of having a lot of people 
> contributing to PyCrypto, we have a lot of people asking for things on the 
> mailing list, but not contributing because I've told them that they can't.
>
> If PyCrypto had been getting the contributions it needs from outside the 
> US, I would have maintained the old policy.

Indeed it's a limitation.  I remember the exact same issue in the days of the FreeSWAN project (which was also Canada-based, and had a strict "no US contributions" policy that was not relaxed).

> Also, I've always *acted* as if the US rules applied to PyCrypto, even 
> though I strongly suspect that they don't, because I've never been sure 
> enough about it to be confident in completely ignoring the US rules.  This 
> has put me into the bizarre situation of following the US rules, but not 
> accepting US contributions.
>
> In any case, there's no reason to panic.  Because of the way the 
> regulations work, the US rules don't automatically apply just because there 
> are 10 lines of US-origin code in PyCrypto.  It's some weird rule like 
> "over 50% of the value of the export", so if the people who are concerned 
> about this policy change can garner the necessary non-US contributions so 
> that they clearly overwhelm US contributions, please do so.  It shouldn't 
> be impossible: there have been very, very few people contributing to 
> PyCrypto lately.  (Thank you to those people!)

50%?  I must admit that it's a while since I seriously studied the rules.  So I did some reading.  There are definitions of what fraction is "de minimis" ("too small to matter") -- the one that appears to apply is 10%.  And there are some conditions where *any* contribution is enough to matter; I did not analyze all the specifics. (If you want to do the reading, see section 734 of the US export regulations.)

> As for the actual regulations, from my perspective, the current Canadian 
> and American rules aren't that different from each other, as far as 
> software "in the public domain" is concerned.  Both countries maintain 
> lists of countries that you can't deliberately export to, and the US 
> additionally requires a one-time "TSU NOTIFICATION" email.

One consideration is that you may be traveling down a one way road.  Once you take this step you can't go back.  While today's regulations may make that tolerable, tomorrow's may not be so benign.  The export rules are subject to random change at any time, without any rational process involved.

> Sigh.  I just wish crypto would get dropped from Wassenaar so that we could 
> stop having these useless conversations.  I can dream...

Indeed.  But as I said, these things are not subject to anything even remotely resembling rational processes.

